Page 6 - Cyber Warnings
its value will have exponentially diminished. Consider this an addition as your organization
matures along the security maturity framework.
3) Standards, yes please. It’s good for you and good for everyone when standards are
utilized, because they make it easier to communicate and share security intelligence. But being
rigid and lacking the graciousness to support other methods of information exchange is
not acceptable. STIX and TAXII are growing as the leading standards for threat intelligence
sharing and are supported by numerous ISACs for disseminating industry-specific threat
intelligence to their members. Large security vendors are slowly adopting these standards to
share across heterogeneous, connected and diverse technologies. With any language or
protocol there is the concern of degeneration from proper and formal usage.
Adopting a standard only at a very basic level introduces the risk of inconsistency: the
syntax is designed to express the full richness of the standard, and when it is not fully utilized or
kept intact, the standard loses value. We’ve all lived through the implementation of one kind
of standard or another, and the hard lessons learned when it is uncovered that support has
various interpretations and degrees of adherence. Identify early how thoroughly
security standards are implemented across your organization and vendors, and create a support mechanism
for alternative ad-hoc and unstructured threat intelligence for when you need to add sources
and connections that cannot be delivered via standard methods.


4) Threat analytics is tedious; it’s okay to get help. Not everyone enjoys security threat
analytics, nor does everyone have the advanced in-house resources to perform this activity.
Machine-learning based security analytics is a way to augment existing skills and personnel,
or, for some organizations, to get them to the next level of maturity. Automation and analytics
are the tools of our adversaries; if you are not yet using or considering this major change,
you will continue to be burdened with artifact repositories and document management that
is error prone. Analytics help security operation centers to be more efficient; to spend less time
on the lower value threat indicators, such as hash values, IP addresses, and domain names,
from the aggregated threat intelligence sources; and to get insight into the bigger picture of
changing trends and emerging risks. Ideally, insight into the tactics, techniques
and procedures (TTPs) is the goal, since the IPs, domains, and hashes used can
be easily changed. Having analytics identify what is relevant to your organization and give
an initial risk score, based on behaviors analyzed and enriched from multiple threat sources,
provides actionable intelligence. Analytics tools should always have the flexibility to adjust
the findings to reflect your organization’s unique expertise, to reduce false positives and
to elevate the score for sightings that may be riskier based on insider information.
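A minimal version of the scoring described above, added here as an example rather than code from the article: atomic indicators (hash, IP, domain) are weighted below TTP-level observations, the score is enriched by how many independent sources corroborate each item, and the organization can suppress known false positives or elevate items based on insider knowledge. All feed records, weights and source names are constructed.

```python
# Added example (not from the article): initial risk scoring for aggregated
# threat intelligence. Every record, weight and source name below is constructed.
from collections import defaultdict

# Easily changed atomic indicators score low; behaviour/TTP observations score high.
BASE_WEIGHT = {"hash": 1.0, "ip": 1.5, "domain": 2.0, "ttp": 6.0}

# Constructed feed records: (value, indicator type, reporting source).
FEED = [
    ("0123456789abcdef0123456789abcdef", "hash", "isac"),
    ("198.51.100.23", "ip", "vendor_a"),
    ("198.51.100.23", "ip", "vendor_b"),
    ("198.51.100.23", "ip", "isac"),
    ("bad.example.net", "domain", "vendor_a"),
    ("spearphishing attachment with macro loader", "ttp", "isac"),
    ("spearphishing attachment with macro loader", "ttp", "vendor_b"),
]


def aggregate(records):
    """Group feed records by (value, type) and collect the distinct sources."""
    sources = defaultdict(set)
    for value, kind, source in records:
        sources[(value, kind)].add(source)
    return sources


def initial_score(kind, sources):
    """Base weight for the indicator type, enriched by source corroboration:
    each additional independent source adds 50% to the base weight."""
    corroboration = 1.0 + 0.5 * (len(sources) - 1)
    return round(BASE_WEIGHT[kind] * corroboration, 2)


def score_feed(records, suppress=(), elevate=None):
    """Return {value: score} for the feed.

    `suppress` lists values the organization knows are benign (false positives,
    e.g. its own infrastructure) and drops them from the result; `elevate` maps
    values to a bonus reflecting insider knowledge (e.g. a campaign known to
    target the organization's sector)."""
    elevate = elevate or {}
    scores = {}
    for (value, kind), sources in aggregate(records).items():
        if value in suppress:
            continue
        scores[value] = round(initial_score(kind, sources) + elevate.get(value, 0), 2)
    return scores


if __name__ == "__main__":
    for value, score in sorted(score_feed(FEED).items(), key=lambda kv: -kv[1]):
        print(f"{score:5.1f}  {value}")
```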


5) Embrace community and gatherings. Security professionals, like those in other professions, can
benefit from networking and sharing. There has always been grassroots sharing, via
interpersonal relationships, email, gatherings, and other means. The growth of industry-
specific ISAC/ISAO organizations and the passing of the Cybersecurity Information Sharing Act
now provide more opportunities for both the private and public sectors to participate. As
organizations look to build trusted relationships, sharing should go beyond the community


6 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
